CCPA Data Retention: Policies, Tips & Best Practices
Data privacy legislation has been making the news in recent years, though only four states have comprehensive consumer laws in effect — California, Colorado, Utah and Virginia. The first of those laws was the California Consumer Privacy Act (CCPA), which became effective in 2020.
But who exactly is affected by the CCPA, what types of data are involved, and how can businesses and organizations ensure compliance and consumer privacy?
We’ll answer those questions — and more — in this comprehensive guide.
What Is CCPA Data Retention & Why Is It Important?
The California Consumer Privacy Act gives consumers the right to know what personal data is being collected about them and how businesses are using that information. The legislation, which first took root as a ballot initiative sponsored by Californians for Consumer Privacy, provides more transparency and control for consumers.
The CCPA became effective on January 1, 2020, and later that same year in November, voters passed a ballot initiative — the California Privacy Rights Act (CPRA) — which would amend the CCPA and provide additional privacy protections for consumers. The CPRA will go into effect on January 1, 2023.
At its core, the CCPA protects “personal information,” the definition of which is anything that “identifies, relates to, or could reasonably be linked with you or your household.” Examples of personal information include:
- Name
- Alias
- Address
- IP address
- Social security number
- Email address
- Driver’s license number
- Passport number
- Bank account number
- Medical information
- Health insurance information
- Records of products purchased
- Internet browsing and search history
- Fingerprints
It’s important to point out that this is not an exhaustive list. Also, personal information does not include anything that is publicly available, such as government records, or any type of data that can’t be attributed to one particular person or household.
Only residents of California have rights under the CCPA.
CCPA Data Retention Laws
The California Consumer Privacy Act provides consumers with the following:
- “The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.”
The CCPA also requires businesses and organizations to post and explain their privacy policies.
Who Does CCPA Data Retention Apply To?
The CCPA applies to for-profit companies and organizations that conduct business in California. You must meet at least one of the following stipulations:
- Have a gross annual revenue of at least $25 million
- Buy, receive, or sell personal information of at least 50,000 residents, households or devices in California
- Earn at least 50% of your annual revenue from selling the personal information of California residents
8 Steps To Remain Compliant Under CCPA
- Understand how the CCPA affects your company or organization. The first step with any new data privacy law or regulation is to understand the details. Is your business or organization required to be CCPA compliant?
- Know the details of the data you collect. Here are some important questions to consider: What types of personal information does your business or organization collect? How is that information handled and stored? Do you work with third-party data collectors? Do you share or sell the data, and if so, to whom? Under the CCPA, California consumers have a right to know the answers to these questions.
- Ensure privacy notices and policies are updated on a regular basis. To ensure compliance, all privacy policies must be updated to reflect what personal information is being collected from consumers and how it is being used. You must also disclose where the information comes from and whether it’s shared with any third parties.
- Create and implement a process for managing consumer inquiries. If a customer has a question about their personal information, a business or organization has 45 days to respond, which is why it’s important to have specific procedures in place that will ensure proper and efficient handling of all requests.
- Identify and update systems. IT departments should have the proper systems and solutions in place to not only protect consumer data but handle customer requests.
- Allow consumers a clear “opt-out” option. Include an easy-to-find link on your website that brings consumers to a webpage where they can opt out of having their personal information sold.
- Train your employees. Ensure that everyone in your business or organization understands the details of the CCPA. This could include holding comprehensive information sessions for new hires as well as refresher sessions for current employees.
- Evaluate your security and strengthen your cybersecurity protocols. This should be standard practice, but it’s especially important since California consumers can take legal action in the event of a data breach.
Best Practices for CCPA Compliance
Here are some additional best practices for CCPA compliance:
- Automate privacy requests. This will help ensure that requests are not lost in the shuffle among emails and spreadsheets.
- Keep all records, procedures, policies, etc. up to date. This bears repeating — make sure everything related to data retention is up to date.
- Use an archiving solution. An all-in-one archiving solution keeps email, social media and text messaging in a single, simple-to-use platform, making it easy to find the data you’re looking for.
FAQs About CCPA Data Retention
Q: What is the CCPA?
A: The California Consumer Privacy Act gives consumers the right to know what personal data is being collected about them and how businesses are using that information.
Q: What constitutes personal data, and are there any exclusions?
A: The CCPA defines personal data as anything that “identifies, relates to, or could reasonably be linked with you or your household.” This does not include information that’s publicly available, such as government records, or any type of data that can’t be attributed to one particular person or household.
Q: What are the consequences if a business fails to comply with the CCPA?
A: Failure to comply with the CCPA will result in serious financial penalties. Consumers may also file private lawsuits.
If you’re looking for an archiving solution to help ensure CCPA compliance, consider contacting the team at Intradyn for more information. We have extensive experience implementing archiving software and helping businesses and organizations of all sizes maintain compliance. Contact us today to get started.